Re: [Maria-discuss] CentOS Docker Container Image not only for OpenShift
Thanks for the feedback, Kolbe. On 10/23/2015 06:41 PM, Kolbe Kegel wrote:
I find the use of environment variables to hold passwords to be a really troubling feature of the way many Docker images are built and used.
I agree this is not a very good solution and we need to come up with something better, that will also work in kubernetes. If anybody knows about something handy, I'd be glad to hear about it. So far, we've just used what other images do, which is not ideal at all.
In an environment where Docker linking is not used, perhaps the environment variable problem is somewhat less severe. But I'm really troubled by this statement:
"Changing database passwords through SQL statements or any way other than through the environment variables aforementioned will cause a mismatch between the values stored in the variables and the actual passwords. Whenever a database container starts it will reset the passwords to the values stored in the environment variables."
That sounds to me like a security catastrophe.
In cases user cares about keeping the container password unknown to other containers and docker daemon itself, the stack can be initialized with some init-only root password and changed afterwards. If I understand what your concern is, it's the reset of the password, right? I guess we may change that behavior to not do anything if password is not set and data directory is already initialized. Is it something what would help here from your point of view? Honza
Kolbe
On Oct 22, 2015, at 11:26 PM, Honza Horak <hhorak@redhat.com> wrote:
For those who are interested in containers, I'd like to share a Docker image that we've produced in Red Hat in cooperation with OpenShift guys. And will be really glad for any feedback you have.
The image can be used in OpenShift or run directly. But what I find really interesting is a PoC implementation of master/slave, that is not documented as official feature yet, but it can be used as simple as that:
docker pull centos/mariadb-100-centos7
docker run -e MYSQL_MASTER_USER=master \ -e MYSQL_MASTER_PASSWORD=master \ -e MYSQL_DATABASE=db \ -e MYSQL_USER=user \ -e MYSQL_PASSWORD=foo \ -e MYSQL_ROOT_PASSWORD=rootpasswd \ -d centos/mariadb-100-centos7 mysqld-master
docker run -e MYSQL_MASTER_USER=master \ -e MYSQL_MASTER_PASSWORD=master \ -e MYSQL_DATABASE=db \ -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \ -d centos/mariadb-100-centos7 mysqld-slave
More info about the image available here: https://hub.docker.com/r/centos/mariadb-100-centos7/
As said above, any feedback welcome :)
Honza
_______________________________________________ Mailing list: https://launchpad.net/~maria-discuss Post to : maria-discuss@lists.launchpad.net Unsubscribe : https://launchpad.net/~maria-discuss More help : https://help.launchpad.net/ListHelp
2015-10-23 22:31 GMT+03:00 Honza Horak <hhorak@redhat.com>:
That sounds to me like a security catastrophe.
In cases user cares about keeping the container password unknown to other containers and docker daemon itself, the stack can be initialized with some init-only root password and changed afterwards. If I understand what your concern is, it's the reset of the password, right? I guess we may change that behavior to not do anything if password is not set and data directory is already initialized. Is it something what would help here from your point of view?
Suggestion: use unix_socket for mysql root as the authentication method, and you don't need a password for it at all, thus avoiding the password management problem when creating the container. Once to container is running, ssh into the centos7-mariadb-container and create the user accounts with the passwords you need. You don't need to store them as part of the container in plain-text anywhere, just save them at the other end of the connection where it is actually needed. Create docker container for master mysqld: docker run -e MYSQL_DATABASE=db -d centos/mariadb-100-centos7 mysqld-master Create users into the newly bootstrapped database: docker exec -it <container id> mysql -u root -e 'create user appuser identified by password.....' db docker exec -it <container id> mysql -u root -e 'create user slaveuser identified by password.....' db Alternatively you could create these users directly into the database before running it in a container, or they might exist already when you run the container on an old database. You anyway need to factor in that the database must be on a data volume and that you will be restarting the mysqld container using the same 'docker run' command above. Then you save the appuser and slaveuser credentials into your provisioning system and use them when you start the apps or slaves that want to connect to you master mysqld container. Slaves could start with: docker run -e MYSQL_MASTER_USER=slaveuser \ -e MYSQL_MASTER_PASSWORD=<xxx> \ -e MYSQL_DATABASE=db \ -e MYSQL_MASTER_SERVICE_NAME=<master_ip> \ -d centos/mariadb-100-centos7 mysqld-slave One password is still here, but it might be required here so that the slave can reconnect any any time. Storing the password somehow in a file on the slave container would perhaps be the best avenue to solve the insecure env variables issue. Note: I haven't actually tested if this really works, I am just throwing ideas.
participants (2)
-
Honza Horak -
Otto Kekäläinen